Interset UEBA

The 7 indicators of insider threats

Cybersecurity experts warn businesses that detected or not, there is someone lurking within their networks doing things they are not supposed to do. There are seven different insider threats that required detection to prevent data breaches like those at Equifax, Uber, and the SEC.

Learn more
What types of insider threats does Interset UEBA detect?

Interset puts the power back in the hands of the SOC by revealing insider threats that are often overlooked by rules- and threshold-based systems and helping mitigate the impact of data breaches and loss of critical IP. Using advanced mathematical models and unsupervised machine learning, Interset reveals key indicators of insider threats, such as account misuse, compromised accounts, infected host, internal recon, lateral movement, insider fraud, and data exfiltration.

Insider threats often precede data breaches
Insider threats often precede data breaches

Data breaches involve multi-stage advanced persistent threats (APT), which are difficult to detect with rules and thresholds based systems. Interset security analytics uncover the hidden threats at different phases of the attack cycle.

For example, security analytics detects abnormal behavior indicative of account misuse or account compromise. Typically this is followed by internal reconnaissance and likely lateral movement of data, ultimately resulting in a data breach.

Infected hosts can also be a factor in data breaches if the system has been compromised to automatically send data externally, another case that security analysts can detect.

How does AI help prevent insider threats?

Finding signs of these insider threats and connecting the dots between them is critical to protecting enterprises and consumers from criminal minds.

An analytics-based approach checks application log files for unusual access patterns, network traffic for signs of suspicious connections, data protection logs for transfers of large chunks of data, and additional factors when available. It then runs an integrated mathematical analysis of these multiple factors together to provide indicators of an account takeover or compromise.

The contextual correlation and analysis of data give security analytics the ability to detect threats operating inside the business.

Insider threat or inside threat?

There is a distinction between an ‘insider threat’ and an ‘inside threat.’ An insider is an entity within an organization, such as a disgruntled employee with the ability to do damage to the business from within. An external attacker, however, can also do damage from within a business (i.e., when malicious software is used to gain access to an enterprise via a phishing attack). In such a case, the attacker can gain control over a legitimate user’s credentials and move laterally within the targeted organization. The attacker is not an insider, but once penetrated, and with that level of access, the threat has moved ‘inside.’ Such an attacker often goes to some lengths to avoid raising alarms by performing any activity not already permitted by IT policy, and thus often flies under the radar. The ability of an intruder to disguise himself or herself as a legitimate user necessitates a security analytics approach.

Impact of insider threats

When surveyed, enterprises shared their concerns:

  • Riskiest Insiders are regular employees (56%), privileged IT users/admins (55%), contractors, services providers and other temporary workers (42%), privileged business users/executives (29%), and customers clients (22%)
  • Data most vulnerable to insider attacks are confidential business information (57%), privileged account information (52%), sensitive personal information (49%) and intellectual property (32%), employee data (31%), operational infrastructure data (27%)
  • The biggest enablers of accidental insider threats are phishing (67%), weak/reused passwords (56%), unlocked devices (44%), bad password/sharing practice (44%), unsecured WiFi networks (32%)
  • Biggest barriers to insider threat management: lack of training & expertise (52%0, lack of suitable technology (43%), lack of collaboration among separate department (34%), lack of budget (34%), lack of staff (25%)

According to the 2019 Verizon Data Breach Investigations Report, insider threats continue to play a role in today’s data breaches. The report found that:

  • 34% of data breaches involved internal actors
  • 15% of data breaches were caused by misuse from authorized users
  • Errors were causal events in 21% of data breaches
  • 32% of data breaches involved phishing
  • 29% of data breaches involved the use of stolen credentials

To make matters worse, 56% of breaches took months or longer to discover. Attack techniques are becoming more sophisticated and allowing for quicker time-to-compromise, which means that it’s critical for security teams and detection methods to be proactive and keep pace.

Request a demo of Interset UEBA

See how Interset UEBA detects and responds to real threats before your data is stolen by scheduling a demo with one of our security professionals.

release-rel-2020-1-2-3618 | Wed Jan 22 16:58:54 PST 2020
Wed Jan 22 16:58:54 PST 2020